Monitoring for fraudulent or harmful behavior in applications being installed on user devices

US 10,419,222 B2
Filed: 06/10/2014
Issued: 09/17/2019
Est. Priority Date: 06/05/2012
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a data repository storing known behaviors associated with known software code components of at least one application associated with at least one user device;

at least one processor; and

memory storing instructions configured to instruct the at least one processor to;

monitor at least one application, including a first application, for installation on user devices including a first user device;

evaluate authenticity of the first application to provide a result, the evaluating comprising;

determining a plurality of software code components of the first application, the components including a first component and a second component,attributing a first behavior to the first component,attributing a second behavior to the second component,comparing, by accessing the data repository, behaviors associated with each of the software code components with the known behaviors, the comparing comprising comparing the first behavior to a first known behavior and comparing the second behavior to a second known behavior,assessing a context of the first user device when a signing identifier used to sign the first application is observed, the context based on trust factors corresponding to a state of the first user device, wherein the trust factors comprise a first factor directed to whether the first user device is protected by an anti-malware software application, a second factor directed to identifying a third application being accessed by a web browser running on the first user device, and determining whether the third application being accessed by the web browser is a security threat, and a third factor related to a security feature of the first application,determining a usage history of the signing identifier, the history comprising signing of a second application by the signing identifier, the second application installed on a second user device, andcomparing, by accessing the data repository, at least one behavior of the first application and a stored known behavior of the second application; and

in response to the result, sending a report to a computing device other than the first user device, the report including an identification of an undesired behavior of the first application based on the result from the evaluating.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Software applications to be installed on user devices are monitored. Authenticity of the applications is evaluated using a plurality of inputs to provide a result. The plurality of inputs may include trust factors. The trust factors may be used to generate a security evaluation. In response to the result, an action is performed such as providing a notification to a developer of a fraudulent version of an application or providing a security assessment for an application.

606 Citations

17 Claims

1. A system, comprising:
- a data repository storing known behaviors associated with known software code components of at least one application associated with at least one user device;
  
  at least one processor; and
  
  memory storing instructions configured to instruct the at least one processor to;
  
  monitor at least one application, including a first application, for installation on user devices including a first user device;
  
  evaluate authenticity of the first application to provide a result, the evaluating comprising;
  
  determining a plurality of software code components of the first application, the components including a first component and a second component,attributing a first behavior to the first component,attributing a second behavior to the second component,comparing, by accessing the data repository, behaviors associated with each of the software code components with the known behaviors, the comparing comprising comparing the first behavior to a first known behavior and comparing the second behavior to a second known behavior,assessing a context of the first user device when a signing identifier used to sign the first application is observed, the context based on trust factors corresponding to a state of the first user device, wherein the trust factors comprise a first factor directed to whether the first user device is protected by an anti-malware software application, a second factor directed to identifying a third application being accessed by a web browser running on the first user device, and determining whether the third application being accessed by the web browser is a security threat, and a third factor related to a security feature of the first application,determining a usage history of the signing identifier, the history comprising signing of a second application by the signing identifier, the second application installed on a second user device, andcomparing, by accessing the data repository, at least one behavior of the first application and a stored known behavior of the second application; and
  
  in response to the result, sending a report to a computing device other than the first user device, the report including an identification of an undesired behavior of the first application based on the result from the evaluating.
- View Dependent Claims (2, 3, 4, 5, 16, 17)
- - 2. The system of claim 1, wherein the evaluating of the authenticity further comprises using a signer reputation associated with the first application.
  - 3. The system of claim 1, wherein the evaluating of the authenticity further comprises identifying at least one application having a first signing identifier that is different from a second signing identifier.
  - 4. The system of claim 3, wherein the instructions are further configured to instruct the at least one processor to:
    - determine, based on the evaluating of the authenticity, that the first application has been pirated;
      
      wherein the report provides notification that the first application has been pirated.
  - 5. The system of claim 1, wherein the data repository further stores package identifiers and corresponding signing identifiers for known-good applications.
  - 16. The system of claim 1, wherein the data repository comprises a database.
  - 17. The system of claim 1, wherein the trust factors further comprise a fourth factor related to a security feature of a network used by an interactive service launched by the first user device to access a server.

6. A method, comprising:
- storing, in a data repository, known behaviors associated with known software code components of at least one application associated with at least one user device;
  
  receiving, over a network, data pertaining to at least one application to be installed on a plurality of user devices;
  
  monitoring, by a first computing device, installation of the at least one application;
  
  evaluating, using the data pertaining to the at least one application, authenticity of the at least one application, the evaluating comprising;
  
  determining a plurality of software code components of each application, the components including a first component and a second component,attributing a first behavior to the first component,attributing a second behavior to the second component,comparing, by accessing the known behaviors in the data repository, the first behavior to a first known behavior and the second behavior to a second known behavior,assessing a context of a first user device when a signing identifier used to sign a first application is received from the first user device, the context based on trust factors corresponding to a state of the first user device, wherein the trust factors comprise a first factor directed to whether the first user device is protected by an anti-malware software application, a second factor directed to identifying a third application being accessed by a web browser running on the first user device, and determining whether the third application being accessed by the web browser is a security threat, and a third factor related to a security feature of the first application, anddetermining a usage history of the signing identifier, the history comprising signing of a second application by the signing identifier; and
  
  sending, over the network, a report to a second computing device, the report including an identification of an undesired behavior of the at least one application to be installed based on at least one result from the evaluating of the authenticity.
- View Dependent Claims (7, 8, 9, 10, 11)
- - 7. The method of claim 6, further comprising receiving, from the user devices, data pertaining to the user devices.
  - 8. The method of claim 6, further comprising sending, in response to the evaluating of the authenticity, an assessment to at least one of the user devices that an application of the at least one application to be installed is dangerous.
  - 9. The method of claim 6, further comprising:
    - receiving an identification of a known-good version of a fourth application;
      
      identifying a fraudulent version of the fourth application from the at least one application to be installed; and
      
      sending an alert that the fraudulent version was identified.
  - 10. The method of claim 6, further comprising receiving, over the network, the signing identifier, wherein the signing identifier is a certificate, a certificate thumbprint, a public key, a hash of a certificate, or a hash of a public key.
  - 11. The method of claim 6, further comprising generating a security evaluation based on the trust factors.

12. A system, comprising:
- a data repository storing known behaviors associated with known software code components of at least one application associated with at least one user device;
  
  at least one processor; and
  
  memory storing instructions configured to instruct the at least one processor to;
  
  receive, over a network, data regarding applications to be installed on user devices, the applications comprising a new application to be installed on a first user device of the user devices;
  
  check for harmful behavior of the new application;
  
  determine a first set of the applications that is similar to a first application, the determining based at least in part on identified behavior for each of a plurality of software code components of the new application, the components including a first component and a second component, and the identified behavior comprising a first behavior associated with the first component, and a second behavior associated with the second component;
  
  compare, by accessing the known behaviors stored in the data repository, the first behavior to a first known behavior and the second behavior to a second known behavior;
  
  assess a context of the first user device when a signing identifier used to sign the new application is observed, the context based on trust factors corresponding to a state of the first user device, wherein the trust factors comprise a first factor directed to whether the first user device is protected by an anti-malware software application, and a second factor directed to identifying a second application being accessed by a web browser running on the first user device, and determining whether the second application being accessed by the web browser is a security threat, and a third factor related to a security feature of the new application; and
  
  send, over the network, a notification to a computing device, the notification identifying the first set and an undesired behavior of the new application.
- View Dependent Claims (13, 14, 15)
- - 13. The system of claim 12, wherein the instructions are further configured to instruct the at least one processor to:
    - analyze privacy issues for the first application; and
      
      generate a report based on the privacy issues.
  - 14. The system of claim 13, wherein the instructions are further configured to instruct the at least one processor to generate a privacy policy.
  - 15. The system of claim 12, wherein the instructions are further configured to instruct the at least one processor to:
    - receive, prior to installing the new application on the first user device, information pertaining to the first user device;
      
      wherein the checking for harmful behavior of the new application uses the information pertaining to the first user device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lookout Incorporated
Original Assignee
Lookout Incorporated
Inventors
Mahaffey, Kevin Patrick, Wyatt, Timothy Micheal, Evans, Daniel Lee, Ong, Emil Barker, Strazzere, Timothy, LaMantia, Matthew John Joseph, Buck, Brian James
Primary Examiner(s)
Lemma, Samson B
Assistant Examiner(s)
Dhruv, Darshan I

Application Number

US14/301,007
Publication Number

US 20150169877A1
Time in Patent Office

1,925 Days
Field of Search
US Class Current
CPC Class Codes

G06F 11/3604   Software analysis for verif...

G06F 21/44   Program or device authentic...

G06F 21/57   Certifying or maintaining t...

G06F 21/577   Assessing vulnerabilities a...

G06F 8/60   Software deployment

G06F 8/70   Software maintenance or man...

G06Q 30/0241   Advertisements

H04L 43/04   Processing captured monitor...

H04L 43/06   Generation of reports

H04L 9/3247   involving digital signatures

Monitoring for fraudulent or harmful behavior in applications being installed on user devices

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

606 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Monitoring for fraudulent or harmful behavior in applications being installed on user devices

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

606 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links